              Disassembling the Spectrum ROM

             Okay, so you can decode your ROM.
            But where does it get you? In this
               article, David Horne looks at
                  practical applications.

[ This is an odd one. The title is Disassembling the
  *Spectrum* ROM, and there's a drawing of a Speccy
  illustrating the article. Nevertheless, the text
  starts by mentioning the ZX81, and all the numbers
  given in the article are correct for the ZX81. The
  Spectrum is only mentioned in the final paragraph.
  Almost all the tables are for the ZX81, and are
  incorrect for the Spectrum. Although both machine's
  tables are similar in essence, all the actual
  numbers are different.
  In the text below, I've left the numbers as they
  were, but added the Spectrum values between [square
  brackets]. I've also added a few other remarks in
  the same way.
  You should be able to find, in the same place where
  you got this text, a TZX file with the Spectrum
  versions of the programs described below.
                           Richard Bos, February 2012 ]

For practical purposes, decoding the ZX-81 ROM gives the
average user a list of symbols and numerals which provide
a level of understanding little different from the original
mass of numerical output. The resultant listings from the
disassembled published in July's Your Computer unlock the
power of the ROM, enabling machine-code programmers to use
sections of code within their own programs. This should
help you a little further along.
  The value of a disassembler is significant only if you
can use segments of the code within your own programs.
  A further breakdown of the ROM routines is required to
discover where each machine-code block begins. I have con-
tinued the theme of producing Basic equivalents to the
machine code to preserve a degree of familiarity for those
whose machine-code experience is limited.
  From Address 3113 [6728] to 3143 [6777] is a list of
pointers - table 1. Address 3113 [6728] is taken as the
starting point and the contents of the address are added
to the address to provide a pointer to another address.
Figure 4 demonstrates this function provided by the Basic
program in figure 3.
  The result is an address which further points to the
class of command being considered and the address of the
machine code for that command in ROM. The commands start at
code 225 - LPRINT [206- DEF FN], which is defined in ROM as
command 0 up to code 255 (COPY), which is defined in ROM as
command 49. Therefore if we follow DEF FN through, we see
that it is defined as command 0 and points to address 
3113 + 139 = 3252 [6728 + 177 = 6905].
  Figure 1 shows the contents; address 3252 and that which
follows. [It barely did. There's no Spectrum alternative;
your best bet would be to get a proper disassembler, rather
than the home-spun one used by Mr. Horne, and get it to do
a decent listing from address 6905.] The first address
contents give the class of command; these are found in
table 2 which commences with class 0 at address 3350. [7169
on the Spectrum; see the final paragraph for the table.]
The class determines the attributes of the commands and
also whether there should be a separator or not:
        POKE A,B
A and B are attributes, the comma is the separator.
  If the class is 0 or 5, then the next address contains
the address of the routine in ROM. Otherwise further
attributes or separators follow, until a class 0 or 5 is
reached.
  Figure 1 gives an initial breakdown of the first three
parts of ROM command tables. You can decode the remainder
if you wish; the same technique is used to unravel the
class tables.
  Where does this lead us? You can call the Basic class 0
commands from within your own machine-code programs.
        201 105  8 CALL 2153
       [205 172 14 CALL 3756 - 
        and yes, that first byte should be 205 - CALL -
        instead of 201 - RET - on the ZX81 as well.]
will copy the screen to the printer,
        CALL 3883 will set slow mode
        CALL 3883 will set fast mode
       [There is no equivalent of these
        on the Spectrum, of course.]
there are others; what can you do with them?
  Figure 5 gives the Basic program for decoding this parti-
cular table and figure 6 the unraveled response.
  As I said, the Basic programs are simplifications and
really only pick out the essentials of the machine code.
Figure 2 gives the ROM table decoder; if you followed the
series on machine code, neglecting the RC32 and RS24, it
should start to make sense. [I'm not entirely sure where
the Spectrum's equivalent begins - 6962 is my best guess -
but in any case, what with multiple-statement lines and 
other enhancements, it's certainly more complicated than
the ZX81's.]
  The Spectrum tables are decoded in a similar manner, but
in order not to fill the magazine with machine-code list-
ings of the ROM, I have just presented the final decoded
tables, figures 7 and 9, and the Basic programs for de-
coding the Spectrum ROM tables, figures 8 and 10.

[ The article was accompanied by 12 listings. For some
  reason, the first two were called "Table" 1 and 2,
  even though "Figure" 1 and 2 were in the same format:
  that of a listing from Mr. Horne's own, rather limited
  disassembler. This disassembler was published several
  months earlier, also in Your Computer, and a few months
  after that (September 1982; this article was in the
  January 1983 edition) a version for the Spectrum was
  featured. You should be able to find the latter at
  World of Spectrum, and perhaps on other sites such as
  The Type Fantastic, but be aware that it is unsuitable
  for serious use.

  Table 1 and 2, and Figure 1, were dumps (in disassem-
  bly form, inappropriately) of the various tables
  described in the article. Figure 2 was a disassembly
  (this time with reason) of the start of the ROM's
  table decoder. As noted at the top, these were the
  ZX81's versions; Spectrum versions are probably best
  found by either loading a professional disassembler
  or, these days, asking your emulator.

  Figure 3 and 4 were a program to list the raw data
  of the command index in a more useful form, and its
  output. Again, only a ZX81 version was given, but it
  was simple enough to translate, so a Spectrum version
  (two, actually) is found on the TZX.

  Figures 5 and 6 were a program to list the command
  parameter table, and its output, for the ZX81;
  figures 7 and 8 were the same for the Spectrum. The
  latter is on the TZX.

  Finally, figures 9 and 10 were a program to list the
  class routine table, and its output, this time for
  the Spectrum only. These were not given for the ZX81,
  for a reason that escapes me; the raw ZX81 data for
  this was in Table 2. The Spectrum program is also
  on the TZX, making four Spectrum programs in all. ]